Fundamental AWS Services – AWS Security Fundamentals – SCS-C02 Study Guide

Fundamental AWS Services

Now that you understand the shared responsibility model, it’s time to look at some essential services that are used throughout the environments and accounts in which you will be working. These essential services are compute services such as Elastic Compute Cloud (EC2), the global Domain Name System (DNS) service Route 53, database services such as RDS and Aurora, account management services such as Control Tower and AWS Organizations, and the advisory service Trusted Advisor. This may seem like a review of services you already know if you have taken the Cloud Practitioner, Solutions Architect (Associate or Professional), or another AWS certification. Although there is no need to take or pass any other AWS certification exam before attempting the AWS Security Specialty certification, it’s not a bad idea to get familiar with these essential services.

After reading this chapter, you should have a basic understanding of the AWS services that the exam covers. Many of these are also the core services that you use on a daily basis. There are plenty of opportunities to dig deeper into the topics presented using the links at the end of this chapter.

The following main topics will be covered in this chapter:

  • Virtual private networking/Route 53 networking
  • Compute services on AWS
  • Cloud databases
  • Message and queueing systems
  • Trusted Advisor

Technical Requirements

You will need an AWS account to access the Management Console, and you need to have already set up the AWS CLI.

Account Management in AWS

Whether you wish to set up a new environment or are on the path to growing an existing set of accounts, the Account Management tools can help you perform these tasks in an automated and systematic manner.

Control Tower

When you are looking for one of the easiest ways to secure and govern multiple accounts in AWS, AWS Control Tower is the best choice. With AWS Control Tower, you can implement best practices when creating new accounts using Account Factory. Guardrails can be put in place, offering governance and security across the entire organization. Control Tower also allows the use of blueprints that make it easy to set up a landing zone.

Control Tower is made up of four key components:

  • Landing Zone – A landing zone is a standardized framework for managing an AWS environment and ensuring compliance with AWS best practices. Using AWS Control Tower to set up your AWS environment creates a well-architected, multi-account environment with, at a minimum, a master account, a security account (named audit by default), and a log archive account.
  • Controls – These controls, also known as guardrails, define high-level rules that can provide governance and security for your accounts and AWS environment.
  • Account Factory – This helps you provision new AWS accounts in your organization quickly and easily. Using Account Factory ensures the accounts are connected to the master billing account. The master billing account in a Control Tower or organization’s structure is the account that receives the invoices for all subsequent child accounts. Each new account must have a unique email associated with the root account.
  • Dashboard – A dashboard is a centralized user interface that lets your team of cloud administrators enable (or disable) policy enforcement, manage the organizational units for AWS Organizations, and even see non-compliant resources from a central location.
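Because controls only provide governance when they are actually enabled on every organizational unit, a practical check is to read back what Control Tower reports per OU and compare it with a required baseline. The following Python is an added example, not code from the study guide or from AWS: it processes the JSON shape returned by `aws controltower list-enabled-controls --target-identifier <OU ARN>`; the baseline set of controls and all sample output are constructed for illustration.

```python
# Added example (not from the study guide): audit Control Tower guardrail
# coverage per OU from `aws controltower list-enabled-controls` output.
# All sample data below is constructed; the field names follow the API.
import json

CT = "arn:aws:controltower:us-east-1::control/"  # guardrail ARN prefix

# Assumed baseline: controls every OU in the landing zone must have enabled.
REQUIRED_CONTROLS = {CT + "AWS-GR_ENCRYPTED_VOLUMES", CT + "AWS-GR_RESTRICT_ROOT_USER"}


def entry(name, status, drift):
    """Build one enabledControls entry in the ListEnabledControls shape."""
    return {"controlIdentifier": CT + name,
            "statusSummary": {"status": status},
            "driftStatusSummary": {"driftStatus": drift}}


# Constructed sample output, keyed by OU id (two OUs of a landing zone).
SAMPLE_OUTPUT = {
    "ou-1234-workloads": json.dumps({"enabledControls": [
        entry("AWS-GR_ENCRYPTED_VOLUMES", "SUCCEEDED", "IN_SYNC"),
        entry("AWS-GR_RESTRICT_ROOT_USER", "FAILED", "NOT_CHECKING")]}),
    "ou-5678-sandbox": json.dumps({"enabledControls": [
        entry("AWS-GR_ENCRYPTED_VOLUMES", "SUCCEEDED", "DRIFTED")]}),
}


def audit_ou(raw_json, required):
    """Return the controls missing, failed or drifted for one OU."""
    enabled = json.loads(raw_json).get("enabledControls", [])
    present = {c["controlIdentifier"] for c in enabled}
    return {
        "missing": sorted(required - present),
        "failed": sorted(c["controlIdentifier"] for c in enabled
                         if c["statusSummary"]["status"] != "SUCCEEDED"),
        "drifted": sorted(c["controlIdentifier"] for c in enabled
                          if c["driftStatusSummary"]["driftStatus"] == "DRIFTED"),
    }


def audit_all(outputs, required):
    """Audit every OU; compliant means all three findings lists are empty."""
    return {ou: audit_ou(raw, required) for ou, raw in outputs.items()}


if __name__ == "__main__":
    for ou, findings in audit_all(SAMPLE_OUTPUT, REQUIRED_CONTROLS).items():
        status = "COMPLIANT" if not any(findings.values()) else "FINDINGS"
        print(ou, status, json.dumps(findings))
```

In a real landing zone the per-OU JSON would come from the CLI call above run against each OU ARN; the audit then flags controls that are absent, that failed to apply, or that Control Tower reports as drifted.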

After you have completed the initial setup of your accounts with Control Tower, you will be shown a screen similar to the one in Figure 2.1.

Figure 2.1: Control Tower dashboard after setup is complete

The following subsections dive deeper into the two categories of controls.